[ale] C question

Horkan Smith ale at horkan.net
Sat May 24 08:57:49 EDT 2014


You might also want to restrict what a user could do via ssh on the 2nd server:

http://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login

http://www.wallix.org/2011/10/18/restricting-remote-commands-over-ssh/

http://cybermashup.com/2013/05/14/restrict-ssh-logins-to-a-single-command/

later!
   horkan

On Thu, May 22, 2014 at 05:37:32PM -0600, Robert L. Harris wrote:
> The reason for the "system" is just to see what value I'm getting out.
> 
> I have a perl script doing a bunch of processing which will be run by a
> couple different users.  One aspect of the perl script is to connect to
> another machine and run a command as a specific user.  Instead of having
> others know the passwd, etc.  I have a hostkey set up from my server as a
> non-privileged user to another system.  I want to have the C program setuid
> to the non-privileged user, ssh to the second server and run 1 command with
> the only variable being XXXXX.  More convoluted than I want but the safest
> method I can come up with to get just the output I need from the second
> server.
> 
> 
> 
> On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:
> 
> > In general, with this kind of stuff, you want to avoid using the
> > shell, so no use of "system" or other library calls that implicitly
> > run a shell.  The reason is that most programmers cannot anticipate
> > all the corner cases that allow unexpected things to happen when you
> > run a shell from your C program based on user data.
> >
> > But this extra information is making me less certain that I'm coming
> > up with the best feedback.
> >
> > Does it happen to be the case that you're using C because you want to
> > create an executable that you will make setuid root?
> >
> >
> > On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
> > <robert.l.harris at gmail.com> wrote:
> > > My main goal is to make sure someone doesn't run this command and pass it
> > > something like :     "15361; rm -rf ~/*"
> > > I will need another version where XXXXX can be any alpha-numeric character
> > > too but the main concern is the moron doing something stupid.
> > >
> > > Robert
> > >
> > >
> > >
> > > On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
> > >>
> > >> I'm not at a keyboard now, but strtol could do it all if you provide a
> > >> non-NULL end pointer. (That will make sense on reading the strtol man page.)
> > >> Just subtract the end from the start and compare to 5, after specifying base
> > >> ten.
> > >>
> > >> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com>
> > >> wrote:
> > >>>
> > >>>
> > >>> Anyone have a very simple C program source that given a command of :
> > >>>
> > >>> ./Validate XXXXX
> > >>>
> > >>>
> > >>> it will verify that XXXXX is a 5 digit integer and then execute
> > >>>
> > >>> system( "/bin/touch XXXXX");
> > >>>
> > >>>
> > >>>
> > >>> There's much more to it but I'm hung up on this.  Unfortunately I'm not a
> > >>> C person.
> > >>>
> > >>> Robert
> > >>>
> > >>>
> > >>> --
> > >>> :wq!
> > >>>
> > >>>
> > >>> ---------------------------------------------------------------------------
> > >>> Robert L. Harris
> > >>>
> > >>> DISCLAIMER:
> > >>>       These are MY OPINIONS             With Dreams To Be A King,
> > >>>        ALONE.  I speak for                      First One Should Be A Man
> > >>>        no-one else.                                     - Manowar
> > >>>
> > >>> _______________________________________________
> > >>> Ale mailing list
> > >>> Ale at ale.org
> > >>> http://mail.ale.org/mailman/listinfo/ale
> > >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> > >>> http://mail.ale.org/mailman/listinfo
> > >>>
> >
> >
> >
> > --
> >   Ed Cashin <ecashin at noserose.net>
> >   http://noserose.net/e/
> >   http://www.coraid.com/


-- 
Horkan Smith
678-777-3263 cell, ale at horkan.net
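
An added example, not code from anyone in this thread: the five-digit check done with strtol and a non-NULL end pointer as suggested in the quoted discussion, followed by running /bin/touch through fork/execve so that no shell ever parses the argument. The names is_five_digits and run_no_shell are hypothetical, and the empty environment is an assumption suited to a setuid helper.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if s is exactly five ASCII decimal digits, else 0. */
int is_five_digits(const char *s)
{
    char *end;
    /* strtol() skips leading whitespace and accepts a sign; reject both. */
    if (s == NULL || strlen(s) != 5 || !isdigit((unsigned char)s[0]))
        return 0;
    errno = 0;
    (void)strtol(s, &end, 10);
    /* end - s is how many characters strtol consumed as base-ten digits. */
    return errno == 0 && end - s == 5 && *end == '\0';
}

/* Run path with one argument and no shell; returns its exit status or -1. */
int run_no_shell(const char *path, const char *arg)
{
    char *const argv[] = { (char *)path, (char *)arg, NULL };
    char *const envp[] = { NULL };  /* assumption: empty env for a setuid helper */
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);   /* arg reaches the program as one argv entry */
        _exit(127);                 /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_five_digits(argv[1])) {
        fputs("usage: Validate NNNNN (exactly five digits)\n", stderr);
        return 2;
    }
    return run_no_shell("/bin/touch", argv[1]) == 0 ? 0 : 1;
}
```

Because the argument is handed to execve as a single argv entry, input such as "15361; rm -rf ~/*" is rejected by the length check and would in any case never be interpreted as shell syntax.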